Entirely barebones design on purpose. Can make it pretty later.

I'm Jon Manning! I work at Secret Lab, an Australian game development studio. I'm the author of a number of technical books on game development, and I'm the lead developer of Yarn Spinner, an open source tool for building dialogue trees in games. It was originally written for Night in the Woods, and has been used in a very large number of games since then.
JON: We're going to assume that you know at least something about WHAT open source is, so we won't spend any time trying to pitch you on the idea of "what if source code but available for free". What we'd like to do today is to encourage you to look at strategic aspects of producing and consuming open source software as part of your game's development cycle.
What's "Strategy" here?

- Steps you can take
- Maximise benefit and minimise risk
- In the short, medium and long term

Intentional steps you can take to maximise benefit and minimise risk when it comes to your studio's use of open source software in the short, medium and long term.
And I'm Vicky. I'm based near Portland, Oregon and I'm an open source strategist in Corporate America. This means I'm a thought leader who helps enterprises and SMBs think out of the box and disrupt markets through leveraging the synergistic ideation inherent in open source ecosystems, reducing TCO while increasing ROI for best in class performance.

That was a joke, but for reals, I know what these words mean, why they matter, and how they apply to making your studio more successful with open source. Such as:
[Slide: four statistics]

- 94%: OSS superior for dev (O'Reilly Media, 2021)
- OSS impact on innovation (McKinsey, 2021)
- €65 to €95 billion: OSS contribution to EU GDP (Open Forum Europe, 2021)
- 35% using OSS (Nagle, 2018)

In 2021, an O'Reilly Media survey of more than 3400 programmers revealed that 94% of them found open source tools to be superior for software development.
Also in 2021, McKinsey released a report showing that for some companies, adoption of open source can increase impact on innovation by 3x compared with companies that don't adopt it.
2021 was a hot year for numbers, since Open Forum Europe found that open source software contributed between €65 and €95 billion to the EU's GDP.

A 2018 study by Frank Nagle at Harvard found that even at that time 35% of all Arts, Entertainment, & Recreation companies were using open source.
You're already using it. You can probably do that better.

Which is to say: Open source is really popular. You're probably using it right now, but using it better will make your gamedev process faster and more efficient. Figuring out that sort of stuff? That's what I help companies do and that's what Jon and I are here to help you with today. [HAND OFF TO JON]
Releasing Open Source

[J] And we're gonna start not by talking about _using_ open source but about _releasing_ it.

(or whatever you want to say)
Matt Massicotte (@mattie): "Every project has some absolutely fantastic code in a folder called 'Utility' that should be open sourced."
7:54 am - 11/3/2022 - Twitter Web App
https://twitter.com/mattie/status/1502025076681719808

We know that gamedevs don't especially have a culture of openness. There's lots of hidden info and NDAs and stuff like that. Game studios play things really close to their vests.
Why release

Your team has put a lot of work into this code. Why would you put it out there for FREE?

I get it. The thought of putting a lot of work into something then giving it away to others can be counter-intuitive.
You can gain more than you give

Global Facility for Disaster Reduction and Recovery (GFDRR), World Bank Project. Invested $1-1.5M USD in GeoNode. Released. Saw 200% return on that investment (conservative estimate).

GFDRR. 2017. Open Data for Resilience Initiative & GeoNode: A Case Study on Institutional Investments in Open Source. Washington, DC: GFDRR. License: Creative Commons Attribution CC BY 3.0.
Recreating wheels isn't creative

Also, a lot of the work that y'all are doing is solving the same problems over and over again.

That's not differentiating work. It's busy work. Reinventing that wheel diverts effort from the fun stuff that actually does make your game different, like the art and puzzles and performance.

I mean, it's like everyone needs some form of event dispatch system and then everyone builds their own, ya know?
Release the utility stuff

Keep the creative stuff

No one sells games based on how impressive their event dispatch system is. It's a necessary piece for running the game, sure, but it's not something the player is really aware of. It's a utility, not a differentiator.

So, how about you release that utility as an open source project to build an ecosystem where gamedevs can spend more time on the game?
Reuse the utility stuff

Do more creative stuff!

The more open source utilities that studios release, the more options _you'll_ have for dealing with the shared problems that other games have already faced.

And, most importantly, the more time you'll have for adding features to your game.

A beneficial cycle

It leads to a healthy beneficial cycle for the entire gamedev ecosystem.

You share tools, others use tools, they share more new tools, you use those new tools. Lather, rinse, repeat.
(example on next slide)
EA Standard Template Library
github.com/electronicarts/EASTL

Possible candidates (apart from YS):

- Godot (well known OSS game engine)
- Tiled (2D level editor)
- DOTween (animation tweening library)
- EASTL
GDC: Making Night in the Woods Better with Open Source

https://www.youtube.com/watch?v=Qsiu-zzDYww

For more info on how to release, see Jon's talk from GDC 2017.
In true open source fashion, gonna use stuff someone's already created: Jon's talk on releasing open source.

Gives us the rest of the time to talk about...
Open Source Software Supply Chain

Let's talk supply chains
Coffee:

- cafe <- vendor <- distributor <- roaster <- bean importer/seller <- plantation <- farmer
- cafe <- vendor <- distributor <- bottler <- dairy <- farmer
- cafe <- vendor <- distributor <- cup factory <- paper mill <- logging company <- forest
Container Ship 'Ever Given' stuck in the Suez Canal, Egypt - March 24th, 2021, by Pierre Markuse, flickr.com/photos/pierre_markuse

Ever Given in 2021
Stuck for 6 days
Blocked nearly $10B in trade

https://en.wikipedia.org/wiki/2021_Suez_Canal_obstruction

(Ever Forward in 2022: not blocking traffic but still rather amusing in a lolsob way)

https://en.wikipedia.org/wiki/File:Container_Ship_%27Ever_Given%27_stuck_in_the_Suez_Canal,_Egypt_-_March_24th,_2021_cropped.jpg
Software has supply chains, too

ALL software, not just open source
[deps.dev report for the PyPI package requests]

Dependencies: Direct 4, Indirect 0
Dependents: Direct 38701, Indirect 28908
Source: deps.dev

And, like for physical goods, the supply chains can get complex very quickly.

This is an excerpt of a deps.dev report for the very popular 'requests' Python library.

It only has 4 dependencies itself, but it's a link in at least 66,000 open source software supply chains.
Thankfully requests is a very stable and healthy project, but what if it weren't?
With so many projects built upon others, what do you think happens if even one little link in the chain breaks down?
Some notable examples

Equifax

September 2017. Equifax is a credit reporting agency in the US.
They were using Apache Struts, an open source web application framework. Struts had fixed a vulnerability, but Equifax hadn't updated things on their side.
Attackers used that vulnerability to access the databases and steal sensitive private data from hundreds of millions of individuals.
John Hammond (@_JohnHammond): "aaaaand then code execution?? #log4j #minecraft"
9:39 PM - Dec 10, 2021 - Twitter Web App
https://twitter.com/_JohnHammond/status/1469255402290401285

November 2021

Became well known because of John Hammond's demonstration of the vulnerability in Minecraft.

A legit feature in this VERY popular logging library allowed attackers to run arbitrary code or steal data.
Received the highest possible vulnerability severity rating.

Fixed quickly in the log4j project, but still not updated in many places in the wild. Still a big problem.
[Screenshot: Snyk blog post]

Alert: peacenotwar module sabotages npm developers in the node-ipc package to protest the invasion of Ukraine
Liran Tal, March 16, 2022

On March 15, 2022, users of the popular Vue.js frontend JavaScript framework started experiencing what can only be described as a supply chain attack impacting the npm ecosystem. This was the result of the nested dependencies node-ipc and peacenotwar being sabotaged as an act of protest by the maintainer of the node-ipc package.

This security incident involves destructive acts of corrupting files on disk by one maintainer and their attempts to hide and restate that deliberate sabotage in different forms. While this is an attack with protest-driven motivations, it highlights a larger issue facing the software supply chain: the transitive dependencies in your code can have a huge impact on your security.

Snyk is tracking the security incidents that are portrayed in this article via the following CVEs: CVE-2022-23812 for node-ipc and SNYK-JS-PEACENOTWAR-2426724 for peacenotwar and oneday-test npm modules. If you are already using Snyk for open source security and supply chain security, you will be getting notifications, alerts, and automated pull requests raised by the tooling to
Unity Hub Release Notes

3.1.1
Mar 16, 2022

HotFix

- This HotFix eliminates an issue where a 3rd party library was able to create an empty text file on the desktop of people using this release version. While it was a nuisance, the issue did not include malicious functionality. Any user that had this file appear on their desktop after updating the Unity Hub can delete this file.
Found quickly.
Updated slowly (or never).

Thankfully, these broken links in the software supply chain are in open source components.
These tend to be fixed quite rapidly, with patched releases sometimes cut within hours.
What _doesn't_ happen are the consumers of those components updating to the latest version. The most common reason for that...

...is that relatively few developers or teams even know that they're using the software, let alone that it has a vulnerability and is therefore a broken link in their software supply chain.

This puts these shops just one bad day away from being the next Equifax.

What can you do about it?
[Chart: The full lifecycle of a vulnerability. Bars for: undetected vulnerability; fixing known vulnerability; alerting users to upgrade; users upgrading to fix version. Median shown; x-axis 0 to 250 weeks. Source: GitHub Octoverse 2020 Security Report]
Again: this is ALL software, not just open source. Open source just responds faster and is more open about it.
(And that's another reason to consume and release it!)
Get a study about 'responds faster' to cite

What to do about it?
So, OK, this all sounds pretty bad, but DO NOT PANIC...unless you work at Panic, in which case, send me my PlayDate.

There are three steps to avoiding the chaos:

1. Know your open source supply chain
2. Maintain your open source supply chain
3. Repeat

To get you started, here's a little more information on each of these.
1. Know your open source supply chain

If you do only one thing, DO THIS.
You don't want to be caught by the next log4j-type problem, scrambling to find out whether you're using that vulnerable software somewhere in your supply chain.
However, it can sometimes be a bit complicated to discover that supply chain.

Naturally, because this is capitalism, there are plenty of people who are happy to sell you tools to do that for you.

Software Composition Analysis
The keywords you're looking for here are "software composition analysis".

This has been a pretty big business for a while thanks to open source license compliance concerns, but now it's really taken off for software supply chain security concerns.
Snyk, Checkmarx, Black Duck/Synopsys, JFrog, Sonatype, WhiteHat/NTT, FOSSA.
Only a selection of the many options available for this stuff.
All proprietary (not open source) and often expensive.

Not all of them support all programming language ecosystems, so you do need to shop around for more than simply price.
OSS Review Toolkit
github.com/oss-review-toolkit/ort

Suite of related tools; can mix/match based on your needs.

Largely focused on open source software license compliance, but also can get you a view of your supply chain & vulnerabilities (for free as in puppy).

Also won't support all language ecosystems, but at least you get what you pay for and you can modify and configure it as needed.
OWASP Dependency-Check
owasp.org/www-project-dependency-check

Utility that checks against CVEs/CPEs
Auto-updates against latest NIST list
Open source

Push dependency notifications to you; can update code automatically; can automate w/GitHub Actions

GitLab has its own version, if that's more your speed.
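As an added example (not part of the talk, and assuming the tool meant here is GitHub's Dependabot), this is the configuration file that switches on those dependency notifications and automatic update pull requests for a repository. The ecosystems and schedule are assumptions about a typical project; the file lives at `.github/dependabot.yml` in the repository:

```yaml
# .github/dependabot.yml (added example, not from the talk)
version: 2
updates:
  # A .NET/C# code base: watch NuGet packages and open a PR when one changes.
  - package-ecosystem: "nuget"
    directory: "/"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 5

  # Python tooling or build scripts in the same repository.
  - package-ecosystem: "pip"
    directory: "/"
    schedule:
      interval: "weekly"

  # The CI workflows themselves are dependencies too; keep the actions they
  # pin up to date.
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
```

Each `updates` entry is one ecosystem/directory pair, so a monorepo with several manifests gets several entries. The pull requests this produces are only useful if someone reviews and merges them, which is the "maintain" step that follows.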





2. Maintain your open source supply chain

Using tools like those we've already mentioned can help you discover your software supply chain and even identify weak or broken links in that chain.
But typically it's up to you to make sure the links get updated appropriately.
A healthy habit

Another one of those things ya gotta do to maintain (software) health.

Getting exercise, eating right, flossing your teeth, getting good sleep. These are things that we all should do to stay healthy.
Software also needs maintenance, and like flossing people often decide not to do it.

Coming up with a routine helps a lot. Which brings me to the third step...

Do you have to run these scans every day? Probably not, no.
But you _should_ try to do them before every release, then update anything that needs it (and test to confirm nothing went sideways).
The worst thing you can do is ignore it.
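To make the "know it, then maintain it before every release" routine concrete, here is an added example (my own code, not the talk's) that does the two steps for a Python project: it reads a pinned requirements file, builds a minimal SBOM-shaped inventory of what is actually shipped, and flags any component that an advisory says is affected but not yet updated, returning a pass/fail a CI job can gate a release on. The lockfile, package versions and advisory ids are constructed sample data, not real advisories; Python is used because the deps.dev example on the slides is a PyPI package, but the same shape applies to any ecosystem.

```python
# Added example (not from the talk): a release-time check that does
# steps 1 and 2 from the slides for a Python project: read the pinned
# dependency list, build a minimal inventory, and flag any component that an
# advisory says is affected and not yet updated. Package names, versions and
# advisory ids below are constructed sample data, not real advisories.
import json
import re

# Constructed sample lockfile, as a pinned requirements.txt would look.
LOCKFILE = """\
# requirements.txt (constructed sample)
requests==2.25.1
urllib3==1.26.4
certifi==2021.5.30
idna==2.10
"""

# Constructed advisory feed: affected range is [introduced, fixed).
# The ids are placeholders, not real CVE numbers.
ADVISORIES = [
    {"package": "urllib3", "introduced": "1.26.0", "fixed": "1.26.5",
     "id": "ADV-EXAMPLE-0001"},
    {"package": "requests", "introduced": "0", "fixed": "2.20.0",
     "id": "ADV-EXAMPLE-0002"},
    {"package": "pillow", "introduced": "0", "fixed": "9.0.1",
     "id": "ADV-EXAMPLE-0003"},
]

REQ_LINE = re.compile(r"^([A-Za-z0-9_.\-]+)==([0-9][A-Za-z0-9.\-]*)$")


def parse_version(text):
    """Turn '1.26.4' into (1, 26, 4) so tuples compare numerically.
    Non-numeric parts (rc1, post2, ...) count as 0; good enough for a
    demonstration, not a full PEP 440 implementation."""
    return tuple(int(p) if p.isdigit() else 0 for p in text.split("."))


def parse_lockfile(text):
    """Map of package name -> pinned version. Refuses unpinned lines,
    because an inventory built from 'requests>=2' tells you nothing."""
    deps = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = REQ_LINE.match(line)
        if not m:
            raise ValueError(f"unpinned or malformed requirement: {line!r}")
        deps[m.group(1).lower()] = m.group(2)
    return deps


def build_inventory(deps):
    """Minimal SBOM-shaped inventory (a subset of a CycloneDX component
    list, using package URLs of the form pkg:pypi/<name>@<version>)."""
    return {
        "components": [
            {"type": "library", "name": n, "version": v,
             "purl": f"pkg:pypi/{n}@{v}"}
            for n, v in sorted(deps.items())
        ]
    }


def find_broken_links(deps, advisories):
    """Step 1: which pinned components fall inside an advisory's range."""
    hits = []
    for adv in advisories:
        installed = deps.get(adv["package"].lower())
        if installed is None:
            continue  # not in our supply chain at all
        lo, hi = parse_version(adv["introduced"]), parse_version(adv["fixed"])
        if lo <= parse_version(installed) < hi:
            hits.append({"package": adv["package"], "installed": installed,
                         "advisory": adv["id"], "upgrade_to": adv["fixed"]})
    return hits


def release_gate(lockfile_text, advisories):
    """Step 2, as a pre-release routine: returns (ok, hits). 'ok' is False
    when anything still needs updating, so a CI job can fail on it."""
    hits = find_broken_links(parse_lockfile(lockfile_text), advisories)
    return (len(hits) == 0, hits)


if __name__ == "__main__":
    deps = parse_lockfile(LOCKFILE)
    print(json.dumps(build_inventory(deps), indent=2))
    ok, hits = release_gate(LOCKFILE, ADVISORIES)
    for h in hits:
        print(f"UPDATE NEEDED: {h['package']} {h['installed']} "
              f"-> {h['upgrade_to']} ({h['advisory']})")
    print("release gate:", "pass" if ok else "FAIL")
```

Run as-is, the gate fails on the constructed `urllib3` pin and passes once that line is bumped to the fixed version; the inventory it prints is the kind of readout an SBOM gives you for software you did not build yourself. In a real pipeline the advisory list would come from a feed such as the NIST data that OWASP Dependency-Check pulls, and the point of running it before every release is that the answer to "are we affected?" is already sitting in the build log when the next log4j-style disclosure lands.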








"But wait! What about the proprietary software in my supply chain?"

And I know what some of you are thinking out there. You're thinking, "A ha! I don't use open source in my game! I pay for an engine then write the rest myself! Ha ha! I've run rings around you logically!"
Proprietary is built on open

Well...what do you think that proprietary software is built on?

(spoiler alert: open source)

Just because it's proprietary doesn't mean it doesn't have its own open source software supply chain.

It does, however, mean that you have a big link in your software supply chain which you can't directly inspect.

However, thanks to the conditions of most open source licenses, even proprietary creators should acknowledge the open source that they use in their software.
Here's not even a quarter of the third-party acknowledgements in Unity.

[Screenshot: excerpt of Unity's third-party software acknowledgements; entries cut off at the edge of the image are marked with …]

- 7-Zip Command line version | GPL 2
- FMOD. Copyright (c) Firelight Technologies Pty, Ltd.
- ogg | BSD 3-Clause License. Copyright (c) 2002, Xiph.org Foundation
- Lame | LGPL 2.1. Copyright (c) 1999 Mark Taylor
- libvorbis | BSD 3-Clause License. Copyright (c) 2002-2009 Xiph.org Foundation
- MaxRectsBinPack | Public Domain by Jukka Jylanki
- … Copyright (c) 2006-2009 Erin Catto http://www.box2d.org
- CUDA | Copyright NVIDIA Corporation. All rights reserved. Use of the CUDA SDK requires agreeing with the NVIDIA Software EULA terms accessed via http://developer.download.nvidia.com/compute/cuda/9.0/Pr… pdf (Accessing the EULA requires joining the NVIDIA Dev… https://developer.nvidia.com/programs/gamedev/register.)
- Clipper Library | Boost Software License. Copyright © 2010-2014 Angus Johnson.
- brotli.js | MIT License. Copyright (c) Devon Govett.
- brotli | MIT License. Copyright (c) 2009, 2010, 2013-2016 by the Brotli Authors
- Pako zlib for JavaScript | MIT License. Copyright (C) 2014-2015 by Vitaly Puzrin
- LZ4 - Fast LZ compression algorithm | BSD 2-Clause License. Copyright (c) 2011-present Yann Collet
- smol-v | Public Domain. Copyright (c) 2016 Aras Pranckevicius.
- DirectXTex | MIT License. Copyright (c) Microsoft Corporation. All rights reserved.
- Emscripten | MIT License. Copyright (c) 2010-2021 Emscripten authors
- Enlighten. Copyright (c) 2014 Geomerics Ltd.
- NDecompiler | MIT License. Copyright (c) 2010-2014 AlphaSierraPapa, Xamarin
- Nunit | MIT License. Copyright (c) 2016 Charlie Poole, 2018 Charlie Poole, Rob Prouse
- Open Image Denoise | Apache License. Copyright 2009-2019 Intel Corporation
- OpenSSL | The OpenSSL toolkit stays under a dual license, i.e., both the conditions of the OpenSSL License and the Original SSLeay license apply to the toolkit. See below for the actual license texts. Actually both licenses are BSD-style Open Source licenses. In case of any license issues related to OpenSSL please contact openssl-core@openssl.org. This product includes cryptographic software written by Eric Young (eay@cryptsoft.com).
- Autodesk FBX SDK. Copyright (c) 2019 Autodesk, Inc. All rights re… the FBX SDK requires agreeing to and complying with the FBX SDK L… Service Agreement terms accessed at https://unity3d.com/legal/aut…
- FMOD | Copyright (c), Firelight Technologies Pty, Ltd. 2004-2014.
- FreeImage open source image library | FreeImage Public License, v… Copyright (c) 2003-2008 FreeImage (freeimage.sourceforge.net).
- Optix | Copyright NVIDIA Corporation. All rights reserved. Use of the OptiX SDK requires agreeing to and complying with the NVIDIA Software Developer Kits, Samples and Tools License Agreement terms accessed via the NVIDIA Developer Program (which requires NVIDIA Developer registration at https://developer.nvidia.com/designworks/optix/download) … You are required to notify NVIDIA prior to use of the NVIDIA Optix Software in a commercial application (including a plug-in to a commercial application) by visiting https://developer.nvidia.com/sw-notification and submitting the web form requested information.
- JsonSchema Validator | Newtonsoft Commercial License (http://www.… store/license)
- MipmapGenerationTool: Mip map generation shader algorithm inspired by Microsoft's mini… including new features such as support for texture array and 3d … mip map generation. Microsoft GenerateMipsCS: https://github.com/microsoft/DirectX-Graphics-Samples/blob/master… Core/Shaders/GenerateMipsCS.hlsli, MIT License
- Mongoose. Copyright (c) 2013-2015 Cesanta Software Limited.
- Mono.Options | MIT License. Copyright (C) 2008 Novell (http://www.novell.com), Copyright (C) 2009 Federico Di Gregorio, Copyright (C) 2012 Xamarin Inc (http://www.xamarin.com)
- PhysX SDK. Copyright (c) 2002-2016 NVIDIA Corporation. All rights reserved. Use of the PhysX SDK requires agreeing to and complying with the NVIDIA GameWorks EULA terms accessed via: https://developer.nvidia.com/content/apply-access-nvidia-physx-source-code. (Accessing the EULA requires joining the GameWorks NVIDIA Developer Program at: https://developer.nvidia.com/programs/gamedev/register.)
SBOM: Software Bill of Materials

If you're feeling especially industrious, you can write to that vendor and ask them for an SBOM.

This is a complete readout of all the components of the software.

In the United States, thanks to Executive Order number 14028, SBOMs are becoming not only common but in many cases they may be required.
It can't hurt to ask, right?
Trust them

Or, if nothing else, you can trust them to know their own open source software supply chains and to act in their enlightened self interest to keep that chain maintained and strong.
If you or the industry has history with the vendor and no real security problems, then this may be an OK option.
To be clear: Open source is good

Everything we've discussed here might sound like it's onerous, or perhaps a reason to stay AWAY from open source. But that's the opposite of what we want you to come away from this with. Open source is an incredible way to reduce engineering spend, contribute to the wider development community, and also: pretty impossible to not use! What we want you to take from this is that your dependencies, whether open source or not, need to be carefully considered and managed in order to ensure that you don't run into unexpected problems.
@desplesda / @thesecretlab / yarnspinner.dev
vmbrasseur.com / fossforge.com

Wrap-Up Zoom Room
https://us02web.zoom.us/j/83111280137
Passcode: 578187